Lucene search
K

89 matches found

NVD
NVD
added 2026/07/06 9:16 a.m.13 views

CVE-2026-49086

Improper Input Validation, Unintended Proxy or Intermediary 'Confused Deputy' vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer DaprPubSubConsumer copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the...

6.5CVSS0.00426EPSS
Exploits0References2
CVE
CVE
added 2026/07/06 8:10 a.m.14 views

CVE-2026-49086

CVE-2026-49086 (Apache Camel DAPR): Affects Camel DAPR Pub/Sub consumer where inbound CloudEvent fields pub/sub-name and topic are copied into routing headers (CamelDaprPubSubName, CamelDaprTopic). The headers are used to direct where messages are published, enabling an attacker who can publish t...

6.5CVSS6AI score0.00426EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:10 a.m.7 views

CVE-2026-49086

Improper Input Validation, Unintended Proxy or Intermediary 'Confused Deputy' vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer DaprPubSubConsumer copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the...

6AI score0.00426EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/07/06 8:10 a.m.7 views

EUVD-2026-41842

Improper Input Validation, Unintended Proxy or Intermediary 'Confused Deputy' vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer DaprPubSubConsumer copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the...

6.5CVSS6AI score0.00426EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 8:10 a.m.34 views

CVE-2026-49086 Apache Camel Dapr: Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to influence internal behaviour

Improper Input Validation, Unintended Proxy or Intermediary 'Confused Deputy' vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer DaprPubSubConsumer copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the...

0.00426EPSS
Exploits0References1
OSV
OSV
added 2026/07/06 8:10 a.m.3 views

CVE-2026-49086 Apache Camel Dapr: Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to influence internal behaviour

Improper Input Validation, Unintended Proxy or Intermediary 'Confused Deputy' vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer DaprPubSubConsumer copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the...

6.5CVSS6.2AI score0.00426EPSS
Exploits0References5
NVD
NVD
added 2026/07/02 8:17 p.m.8 views

CVE-2026-59096

Dapr Sentry's OIDC discovery endpoint derives the issuer and jwksuri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured the default, and serves the document wi...

8.2CVSS0.00246EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:41 p.m.10 views

CVE-2026-59096

Dapr Sentry's OIDC discovery endpoint derives the issuer and jwksuri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured the default, and serves the document wi...

8.2CVSS5.8AI score0.00246EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/07/02 7:41 p.m.9 views

EUVD-2026-41427

Dapr Sentry's OIDC discovery endpoint derives the issuer and jwksuri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured the default, and serves the document wi...

8.2CVSS5.8AI score0.00246EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/07/02 7:41 p.m.11 views

CVE-2026-59096 Dapr - OIDC Discovery Issuer and JWKS URI Injection via Unvalidated X-Forwarded-Host

Dapr Sentry's OIDC discovery endpoint derives the issuer and jwksuri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured the default, and serves the document wi...

8.2CVSS6AI score0.00246EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/02 7:41 p.m.36 views

CVE-2026-59096 Dapr - OIDC Discovery Issuer and JWKS URI Injection via Unvalidated X-Forwarded-Host

Dapr Sentry's OIDC discovery endpoint derives the issuer and jwksuri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured the default, and serves the document wi...

8.2CVSS0.00246EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.16 views

PT-2026-55297

Name of the Vulnerable Software and Affected Versions Dapr affected versions not specified Description Dapr Sentry's OIDC discovery endpoint /.well-known/openid-configuration derives the issuer and jwks uri from the request Host. When no allowed-hosts list is configured, the system honors an...

8.2CVSS6AI score0.00246EPSS
Exploits0References8
Chainguard
Chainguard
added 2026/06/23 8:16 a.m.9 views

CVE-2026-41178 vulnerabilities

Vulnerabilities for packages: kuberay-apiserver, terraform-provider-grafana, kube-arangodb-fips, art, flux, drone-fips, cilium, crossplane-provider-aws-cloudtrail, go-sqlcmd, grafana-mimir, docker-machine-driver-harvester, flux-image-reflector-controller, harbor-registry,...

5.3CVSS6.1AI score0.00237EPSS
Exploits0
Chainguard
Chainguard
added 2026/06/23 8:16 a.m.11 views

GHSA-5WRP-CWCJ-Q835 vulnerabilities

Vulnerabilities for packages: kuberay-apiserver, terraform-provider-grafana, kube-arangodb-fips, art, flux, drone-fips, cilium, crossplane-provider-aws-cloudtrail, go-sqlcmd, grafana-mimir, docker-machine-driver-harvester, flux-image-reflector-controller, harbor-registry,...

6.1AI score
Exploits0
NVD
NVD
added 2026/05/08 2:16 p.m.10 views

CVE-2026-41491

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...

8.1CVSS0.00325EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/08 1:11 p.m.8 views

CVE-2026-41491 Dapr: Service Invocation path traversal ACL bypass

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...

8.1CVSS5.7AI score0.00325EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/08 1:11 p.m.14 views

EUVD-2026-28553

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...

8.1CVSS5.7AI score0.00325EPSS
Exploits0References2
CVE
CVE
added 2026/05/08 1:11 p.m.13 views

CVE-2026-41491

CVE-2026‑41491 affects Dapr. An ACL bypass vulnerability in service invocation lets an attacker exploit reserved URL characters and path traversal sequences in method paths, causing the access control policy to be evaluated against a different path than what the target application receives. The m...

8.1CVSS5.7AI score0.00325EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/08 1:11 p.m.4 views

CVE-2026-41491 Dapr: Service Invocation path traversal ACL bypass

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...

8.1CVSS5.8AI score0.00325EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.18 views

Dapr 路径遍历漏洞

Dapr is a portable, serverless, event-driven runtime developed by Dapr Open Source. Versions of Dapr from 1.3.0 to 1.15.14, as well as versions from 1.16.0-rc.1 to 1.16.14 and from 1.17.0-rc.1 to 1.17.5, have a path traversal vulnerability. This vulnerability stems from the use of reserved URL...

8.1CVSS5.8AI score0.00325EPSS
Exploits0References1
Rows per page
Query Builder